memos/server
memoclaw 9d3a74bccc fix(api): make credentials write-only and restrict sensitive settings to admins
Security fixes for credential leakage across three resources:

- NOTIFICATION setting: restrict GetInstanceSetting to admin-only
  (was publicly accessible, exposing SMTP credentials)
- SMTP password: never return SmtpPassword in API responses (write-only)
- S3 secret: never return AccessKeySecret in API responses (write-only)
- OAuth2 ClientSecret: never return in API responses for any role
  (was previously returned to admins); remove redactIdentityProviderResponse
  in favor of omitting the field at the conversion layer
- Preserve-on-empty: when updating settings with an empty credential
  field, preserve the existing stored value instead of overwriting
  (applies to SmtpPassword, AccessKeySecret, and ClientSecret)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-29 07:34:00 +08:00
auth refactor: consolidate duplicated auth logic into auth package 2026-02-24 23:08:16 +08:00
router fix(api): make credentials write-only and restrict sensitive settings to admins 2026-03-29 07:34:00 +08:00
runner refactor: rename workspace to instance throughout codebase 2025-11-05 23:35:35 +08:00
server.go feat(mcp): enhance MCP server with full capabilities and new tools (#5720) 2026-03-13 18:15:52 +08:00